Systems security for scientific exploration and production (E&P) workstations has become a very important topic at geo-science and exploration and production meetings. The recent distributed denial of service (DDoS) attacks on organizations such as AOL and Yahoo have made it clear that industry firms must not only secure their own systems and data, but ensure their systems are not attacking others. What can individuals and firms do to protect their systems?
Suppose a geoscientist receives an e-mail, which contains a "joke" program that displays a graphic cartoon. The geoscientist plays the program, laughs at the joke, and goes on about his business. What he or she doesn't know is that the program not only displayed the cartoon, but it also started a background task that is evaluating system security.
The same sort of problem exists with all platforms. In certain versions of Solaris, a security bug in the program "ufsrestore" allows a user to start a "shell" as the super-user. This shell does not appear on the screen, but runs as a background task. Suppose the "joke" determines that the appropriate security patches have not been applied, and that the program can use the "ufsrestore" program.
Since it is now running as the super-user, the program can install a "root kit." A root kit is a set of programs that replace the standard tools of Solaris (or other systems) with special versions that do not reveal the intruder's presence. Some of the commands replaced are "ps," "ls," "top," and so on. The root kit also creates a special way that an unauthorized user can get into your system as the super-user without knowing the official password.
Since the program has access to everything in your system, it can find out anyone who sends you e-mail. It can send the original joke program to all these people as though it came from you. Now, their systems also are compromised. The attack program looks through your application software in search of places to hide additional compromise programs, so that even if you delete the root kit and reinstall the operating system, it can use your applications software to re-infect your system. They even find ways to hide in your data files.
The virus spreads
Now the program goes dormant for several months, so that you will not notice it until it has replicated itself on all your backup tapes. After a period of time, the program wakes up and starts sending e-mail to another site, for example, the US Federal Bureau of Investigation (FBI). It only sends one or two messages per minute, so you won't even notice the change in the system load. The problem is that all your systems, and a lot of friends' systems (those who got the "joke" program) and a lot of their friends' systems, are all sending mail to the FBI. Soon, FBI computers are overwhelmed with all these useless messages and people who need to send valid messages to the FBI can't get through. This is one type of DDoS attack.
The FBI has good security people and even more lawyers, so they figure out that your site is one of the sites sending this email. They call you up, and are very polite. They say they know you aren't aware this is going on, but you are going to have to stop it.
The problem is that a remedy not only involves a re-installation of the operating system, but all the applications as well. In addition, all data has to be reloaded "from scratch," because the compromised backup tapes cannot be used. All of the backup tapes must be discarded so that they cannot be accidentally used (re-installing the intruder).
An attack such as this can cause weeks of downtime, the loss of hundreds of man-years of geoscience interpretation, and possibly the collapse of the business. The intruder did not want to steal the interpretations; he or she might not have even known or cared that the target site was an oil company. Imagine if the "I Love You" virus had quietly installed a DDoS program.
How compromises occur
Eighty percent of information security compromises come from within a company or bypass the firewall. Compromises from within aren't always disgruntled employees or troubled people; they may result from an employee who is not sufficiently aware of security. In many companies, the direct connection to the Internet is protected by a firewall, but there are modems attached to personal computers that go straight to the telephone network.
An intruder with a "war dialer" can call company telephone numbers in search of a modem tone. When it finds one, it can access the computer in various ways without the user's password. All individual computers, desktops, and servers must be secured to prevent such access. Eliminating or controlling any modems that bypass the firewall is a critical part of securing your system.
Firewalls only protect against certain types of attacks. To be effective, firewall software must be kept up to date and the rules have to be as tight as possible. Firewalls check to see that outside connections have different addresses than inside connections and they prevent traffic from passing for certain "sockets" or "ports."
A single firewall has to allow a wide range of traffic for exploration, engineering, marketing, secretaries, and other users. A socket that has a certain valid reason for being open for the marketing department, for example, may access a different program on the exploration servers. If a single firewall applies to all systems, someone could use a port that is legitimately open for one system to attack a different system in your network.
Firewalls are cheap, at least compared to E&P level desktop computers, and certainly compared to the value of data. Consider using additional firewalls to restrict traffic within a network. It is not a matter of trust; it is a matter of due diligence.
The operating system is not the only thing that needs to be secure; applications (often from third-party vendors) need to be secure also. An application program with security vulnerability can provide an intruder privileged access to systems or networks.
Many E&P software vendors give little or no thought to security, partly because customers rarely demand it. Many vendors use license "daemons," database programs, or interprocess communications services that run as privileged users (on Unix "root"). An intruder could access the license daemon, exploit a buffer overflow, and establish a super-user connection. It is important to restrict the privileges of programs like these by running them with a special low privilege account.
"Single password systems" coordinate all the various platforms and machines, so that each user can use the same password on each machine. The problem with this technique is that passwords are easily broken on some systems.
If all the users use the same password on all types of systems, and an intruder breaks the easiest system, then he or she can move right into the rest of the network.
A password changing script can be used to enforce a complicated password. The script can use samba or some similar technique to ensure that the passwords are different between Unix and Windows NT. Systems should be fixed before a compromise materializes.
The first thing is to have an appropriate use and security policy. This policy must be published to anyone who uses or administers your systems and must be enforced from the top down. If a manager can walk in and demand an exception to the rules or that security be turned off because a project deadline is pressing, you might as well not waste your time. SAGE (the Systems Administrator's Guild) publishes a book of sample policies including a security policy. SANS Institute (Systems and Network Security) also provides sample policies and even classes on writing proper security policies.
Consider hiring a company, such as a large accounting firm, to test system security. IT administration needs to know what is wrong before it can be fixed. Many IT personnel in the E&P business are very strong and capable in managing data and scientific applications, but have had little or no training in systems security. They may be very surprised to find out just how open their systems are. There are four major elements to protecting a computing facility:
- Run an evaluation program to identify security problems from the inside. Use Satan, COPS, or one of several commercial packages.
- Run an evaluation program to test vulnerabilities from the outside. Use nmap.
- Monitor and prevent improper access from each system, desktop or server. Use tcp wrappers, PAM, or Tripwire.
- Monitor and prevent improper access from a central system. Use a firewall.
An effective security system uses features from all four elements. A security consultant can recommend appropriate tools for a system. Visit with software application vendors and make sure they understand that you care about security.
Common vulnerabilities include programs or files with unnecessary privileges and "buffer overflows." Buffer overflows are a result of poorly written programs in C or C-like languages, regardless of the operating system.
Many application vendors receive a lot of pressure to make software faster or easier to use, but little pressure to make it secure. Developers may be very good at making powerful software easy to use, but may be very naive about security.
It is common in the E&P industry for an applications software vendor to supply the system hardware and operating system as a package with the application. These systems are often configured for the convenience of the installer or support staff, with little thought being given to security. This may not be a problem with an isolated system, but if this system is later connected to a network or given a modem, security must be addressed.
Security is an ongoing process. Personnel need to be trained and routinely receive refresher training as new problems are discovered. Consider training such as that offered by the SANS Institute (Systems and Network Security), a non-profit industry security group. Also get on the security mailing lists with your various hardware and software vendors. Colleges also offer security courses, often in continuing education formats.
Security is not something you can set and forget. First, the indirect use of your system to attack others (DDoS) may be a greater risk than a direct attack. Second, third party application software is a leading source of vulnerabilities; it isn't just the operating system.
An active program involves the entire staff, platform vendors, applications vendors, support personnel, data suppliers, and others. E&P firms need a policy that can be enforced and adhered to. New vulnerabilities are discovered every day, so IT personnel must be current in training and patches. It may not be much fun, but such vigilance is better than losing data, systems, jobs, or even a company.
About the author
Will Morse is Senior Systems Advisor Exploration Systems at Anadarko Petroleum and can be reached at Tel: 281-874-8825 in Houston, Texas.